
When you are a temp your days are often numbered. So are your file names. Part 1

January 5, 2015 in Compromise Detection, File Formats ZOO, Forensic Analysis, Malware Analysis

Many applications create temp files. In the past their names were completely random and the directory depended on the application developer's whim; nowadays the file names are often somewhat predictable (as long as the application is legitimate, that is): the files are placed inside the %TEMP% folder and named using a pattern that consists of a short prefix followed by a number (a hexadecimal one, when GetTempFileName generates it). We encounter them quite often during forensic investigations. If you are wondering how these temp files are created: applications that know how to behave typically use a Windows API called GetTempFileName, which lets the programmer specify a prefix for the temporary files created by the application. Programmers often specify a prefix longer than 3 characters, but the API uses only the first 3, as explained in the API description on MSDN:

lpPrefixString [in]

The null-terminated prefix string. The function uses up to the first three characters of this string as the prefix of the file name. This string must consist of characters in the OEM-defined character set.

It may be handy to get familiar with a few well-known temporary file names and prefixes, as it allows us to recognize specific families of temporary files and potentially use this knowledge to reduce the data set for analysis (of course, don't do it blindly: a prefix only tells you which tool usually creates such files, not which tool actually created this one).

The list below contains popular temp file names and prefixes; I am also including other well-known temporary file names:

  • C:\~GLC1034.TMP – side-effect of running Wise Installer; stage 2
  • %TEMP%\<digits>.tmp – typically created by the GetTempFileName API called with an empty prefix (or the file is created 'manually')
  • %TEMP%\7zS<digits>.tmp – side-effect of running Self-Extracting installer based on 7z
  • %TEMP%\~DF<hexdigits>.tmp – side-effect of running a Visual Basic Application; described in my older post
  • %TEMP%\~dfs<digits>.tmp – dropped by Adware.DomaIQ
  • %TEMP%\GLB<digits>.tmp – side-effect of running Wise Installer; stage 1 – this is a stub dropping DLL performing the installation (WISE*.dll)
  • %TEMP%\GLC<digits>.tmp – side-effect of running Wise Installer; this is the WISE*.dll – a DLL performing the installation
  • %TEMP%\GLD<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLF<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLG<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLI<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLJ<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLK<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLL<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLM<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GL<other letter><digits>.tmp – possible side-effect of running Wise Installer; stage 3
  • %TEMP%\IXP<digits>.TMP – directory created by old-school installers developed using IEXPRESS
  • %TEMP%\nsi<digits>.tmp – side-effect of running Nullsoft Installer
  • %TEMP%\nst<digits>.tmp – side-effect of running very old Nullsoft Installer; it uses a hardcoded ‘nst’ as a prefix
  • %TEMP%\ns<other letter><digits>.tmp – side-effect of running older Nullsoft Installer; it uses a random letter following the prefix ‘ns’
  • %TEMP%\scs<digits>.tmp – side-effect of running ntvdm.exe on Windows XP; usually two temporary files containing the same content as autoexec.nt and config.nt
  • %TEMP%\sfx<digits>.tmp – side-effect of running GkWare Installer
  • %TEMP%\stp<digits>.tmp – side-effect of running Wise Installer; stage 1
  • %TEMP%\sxe<digits>.tmp – self-extracting executable, a custom installer often used by malware (I am not sure who developed it; it could be some old legitimate installer, or even Windows) – it drops a compressed clean DLL (SZDD at the top of the file – usually sxe1.tmp), the DLL is decompressed (usually sxe2.tmp) and reveals itself to be just a decompression library (with a single exported function, DllInflate), and finally sxe3.tmp is the payload
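The list above is easiest to use as a triage table. The script below is an added example (not code from the original post) that encodes the families listed above as patterns and sorts a %TEMP% listing into "known family" and "needs a look" buckets, which is exactly the data-reduction step described above. It also shows the GetTempFileName naming rule quoted from MSDN: only the first three characters of the prefix survive and the unique value is appended in hex. Where the post writes <digits> the patterns accept hexadecimal digits, because that is what the API produces; the family labels and the sample listing are constructed for this example.

```python
import re

# Temp-file families from the list above, most specific first so that e.g. GLC and
# nsi are tried before the catch-all GL<letter> and ns<letter> patterns.
# Suffixes are matched as hex (GetTempFileName appends uUnique in hex) and matching is
# case-insensitive because NTFS file names are.
HEX = r"[0-9A-F]+"
FAMILIES = [(re.compile(p + r"\.TMP", re.IGNORECASE), label) for p, label in [
    (r"~GLC" + HEX,         "Wise Installer (stage 2)"),
    (r"7zS" + HEX,          "7z self-extracting installer"),
    (r"~dfs" + HEX,         "Adware.DomaIQ"),
    (r"~DF" + HEX,          "Visual Basic application"),
    (r"GLB" + HEX,          "Wise Installer (stage 1, WISE*.dll dropper)"),
    (r"GLC" + HEX,          "Wise Installer (WISE*.dll)"),
    (r"GL[DFGIJKLM]" + HEX, "Wise Installer (stage 3)"),
    (r"GL[A-Z]" + HEX,      "Wise Installer (stage 3, possible)"),
    (r"IXP" + HEX,          "IEXPRESS installer directory"),
    (r"nsi" + HEX,          "Nullsoft Installer"),
    (r"nst" + HEX,          "Nullsoft Installer (very old)"),
    (r"ns[A-Z]" + HEX,      "Nullsoft Installer (older)"),
    (r"scs" + HEX,          "ntvdm.exe (autoexec.nt/config.nt copy)"),
    (r"sfx" + HEX,          "GkWare Installer"),
    (r"stp" + HEX,          "Wise Installer (stage 1)"),
    (r"sxe" + HEX,          "sxe self-extracting executable"),
    # Bare hex names are ambiguous (e.g. "ABC.tmp" is also all hex), hence last.
    (HEX,                   "GetTempFileName with empty prefix, or created manually"),
]]


def classify(name):
    """Return the family label for a temp file name, or None if no pattern matches."""
    for pattern, label in FAMILIES:
        if pattern.fullmatch(name):
            return label
    return None


def expected_temp_name(prefix, unique):
    """Name GetTempFileName forms for a prefix and a nonzero uUnique value, per the
    MSDN text quoted above: first three prefix characters + uUnique in hex + .TMP."""
    return prefix[:3] + format(unique, "X") + ".TMP"


def triage(names):
    """Split a %TEMP% listing into {family label: [names]} and a list of leftovers
    that still need a look. Membership in a family is a hint for data reduction,
    not proof of which program created the file."""
    known, unknown = {}, []
    for name in names:
        label = classify(name)
        if label is None:
            unknown.append(name)
        else:
            known.setdefault(label, []).append(name)
    return known, unknown


# Constructed sample listing of a %TEMP% folder (not taken from a real case).
SAMPLE_TEMP_LISTING = [
    "nsi1A2B.tmp", "nsa3C4D.tmp", "nst1.tmp", "GLB1.tmp", "GLC2.tmp", "GLF3.tmp",
    "GLQ4.tmp", "~DF9E4A.TMP", "~dfs1.tmp", "7zS1234.tmp", "sxe1.tmp", "sxe2.tmp",
    "sxe3.tmp", "1A2B.tmp", "scs1.tmp", "update.exe", "report.docx",
]

if __name__ == "__main__":
    known, unknown = triage(SAMPLE_TEMP_LISTING)
    for label, names in known.items():
        print(f"{label}: {', '.join(names)}")
    print("needs a look:", unknown)
    # A prefix longer than three characters is silently cut down by the API:
    print(expected_temp_name("WISEINST", 0x1034))
```

The fallback for bare hex names is deliberately last and should be treated as the weakest hint of all: "1A2B.tmp" could have been created by anything, which is the "don't do it blindly" point above.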

I am still crunching some data, so there will be part 2.

File Formats ZOO – Installers

April 30, 2012 in File Formats ZOO

Continuing on my previous post I am adding some more information about file signatures.

First, the illustration :)

One type of Portable Executable file that is not discussed very often is the installer. For those who don't know: in most cases a typical installer for Windows is a standalone Portable Executable file with some extra data appended to it (with the notable exception of .msi files, which are database containers handled by the Windows Installer service).

The installer file usually consists of two parts. The first part is a standalone setup stub that is identical across all installers created with the same version of the (installation) packager/wizard/script. The second part is the actual software that is about to be installed, usually stored in a compressed and/or encrypted form. The most popular installers include Nullsoft Scriptable Install System (NSIS) and Inno Setup, but there are literally hundreds of them. Note that the stub's PE header alone rarely identifies the packager: several of the dumps below (the WinAce SFX, Inno Setup, Smart Install Maker and the MZ-in-MZ sample) start with the same 'MZP' DOS stub and the same PE timestamp (19 5E 42 2A), because all of them were produced by the Borland/Delphi linker, which emits that fixed header. It is the appended data that tells them apart.

Let me say here that 'installer' is a very broad term and can cover pretty much any .exe with any file appended to its end and, in some cases, files embedded inside the main .exe (either directly as data, possibly encrypted, or as a resource in the resource section). Many well-known formats turn up as appended data, so one can find .exes with appended JPG files, Flash movies, other .exe files and many other variants. One very popular type of installer (even if they don't necessarily qualify as software installers) are self-extracting archives, e.g. RarSFX, CABSFX, 7ZSFX, etc. All of these are treated here equally ==> .exe + something appended to it.

From a forensic perspective, determining that some .exe is an installer can help with data reduction, as long as we can confirm the installer has been executed on the investigated system. All you have to do is extract the installer and run it in a test environment (an isolated one, if the installer is untrusted). The collected artifacts can then be removed from the local copy of the evidence, e.g. by file name, or better by hash, so that a malicious file which merely reuses a legitimate name is not hidden along with them. If you remember my preaching post from a few days ago on speeding up case processing: deleting files created by a confirmed installer could be a good thing to do /as long as the installer itself is out of scope/. Let's not overlook this possibility, as removing thousands of small files created by software packages commonly present on the investigated systems could be a very good data reduction technique. Whether it is the Java Runtime Environment, Microsoft Visual Studio, Adobe software, or any other large package, we could save a lot of time simply by removing these from our view. While I am saying this, I must emphasize that this is a very unexplored area and needs both more research and new tools. Still, any data reduction technique available to an examiner is more than welcome, and whoever gets it right and gets there first will be cracking cases in no time.

MZ...PE... I.n.s.t.a.l.l.S.h.i.e.l.d.

InstallShield Installer. Contains no appended data.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
62 29 00 00 00 00 00 00 00 00 50 45 00 00 4C 01  b)........PE..L.
00 23 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E  .#...C.o.m.p.a.n
00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 49  .y.N.a.m.e.....I
00 6E 00 73 00 74 00 61 00 6C 00 6C 00 53 00 68  .n.s.t.a.l.l.S.h
00 69 00 65 00 6C 00 64 00 20 00 53 00 6F 00 66  .i.e.l.d. .S.o.f
MZ...PE... _winzip_ …

A self-extracting WinZip32 executable. Contains a stub (the archive extractor) and a typical Zip file. There is no appended data: the archive lives in a dedicated section named _winzip_, visible in the section table below.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 F0 A4 F5 47 00 00 00 00  PE..L......G....
00 00 00 00 E0 00 03 01 0B 01 08 00 00 E0 00 00  ................
...
[section table]
2E 74 65 78 74 00 00 00 B4 D5 00 00 00 10 00 00  .text...........
00 E0 00 00 00 10 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 00  .... ..`.rdata..
42 29 00 00 00 F0 00 00 00 30 00 00 00 F0 00 00  B).......0......
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
2E 64 61 74 61 00 00 00 DC 54 00 00 00 20 01 00  .data....T... ..
00 20 00 00 00 20 01 00 00 00 00 00 00 00 00 00  . ... ..........
00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00  ....@....rsrc...
88 91 00 00 00 80 01 00 00 A0 00 00 00 40 01 00  .............@..
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
5F 77 69 6E 7A 69 70 5F 00 30 0A 00 00 20 02 00  _winzip_.0... ..
00 30 0A 00 00 E0 01 00 00 00 00 00 00 00 00 00  .0..............
00 00 00 00 40 00 00 42                          ....@..B
MZ...PE... | … dbload

A Perl script converted into an executable with the perl2exe utility.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 1C B2 B8 3B 00 00 00 00  PE..L......;....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 10 00 00  ................
[Appended data]
64 62 6C 6F 61 64 20 31 2E 30 20 73 69 67 6E 61  dbload 1.0 signa
74 75 72 65 0D 0A 0D 0A 80 80 80 80 80 80 80 80  ture............
MZ...PE... | !sfx!.

Self-extracting WinAce installer/archive.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 DE 01 00  ................
[Appended data]
21 73 66 78 21 00 53 03 00 00 00 01 B8 AF 00 00  !sfx!.S.........
01 00 00 00 11 00 00 00 06 00 00 00 14 00 00 00  ................
MZ...PE... | 7z

Self-extracting 7z installer/archive. Contains a stub (the archive extractor) and a typical 7z archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 49 B5 57 47 00 00 00 00  PE..L...I.WG....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 92 01 00  ................
[Appended data]
37 7A BC AF 27 1C 00 02 E1 AB 8F 68 7E DB C6 00  7z..'......h~...
00 00 00 00 26 00 00 00 00 00 00 00 37 1C 2D 11  ....&.......7.-.
MZ...PE... | BZh

Self-extracting bzip2 installer/archive. Contains a stub (the archive extractor) and a typical bzip2 stream.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 B4 CE 3D 3C 00 00 00 00  PE..L.....=<....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 A0 01 00  ................
[Appended data]
42 5A 68 39 31 41 59 26 53 59 75 91 99 30 00 02  BZh91AY&SYu..0..
D9 7F FF FF DF FB FF E3 F5 FF FF FF FF FF FF FF  ................
MZ...PE... | CWS

Macromedia Flash Player with an appended Flash movie. Contains a stub (the Flash player) and a compressed SWF file (CWS signature; note the 78 9C zlib header right after the 8-byte SWF header in the dump).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 06 00 38 AD 57 3F 00 00 00 00  PE..L...8.W?....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 0C 00  ................
...
[Appended data]
43 57 53 07 5E 9A 01 00 78 9C BC 3B 5B 90 1C D5  CWS.^...x..;[...
75 67 7A 7A 66 7A DF 0F AD 34 7A EC 4A 42 12 82  ugzzfz...4z.JB..
MZ...PE... | FWS

Macromedia Flash Player with an appended Flash movie. Contains a stub (the Flash player) and an uncompressed SWF file (FWS signature).

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 FD 8A 49 37 00 00 00 00  PE..L.....I7....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 03 00  .............0..
[Appended data]
46 57 53 04 ED A0 03 00 70 00 09 C4 00 00 FA 00  FWS.....p.......
00 0C 54 00 43 02 FF FF FF 00 06 44 0B 06 00 00  ..T.C......D....
MZ...PE... | … IFCM

Microsoft Help 2.x.

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  MZ..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00  PE..L...........
00 00 00 00 E0 00 01 20 0B 01 00 00 00 00 00 00  ....... ........
[Appended data]
49 46 43 4D 01 00 00 00 00 20 00 00 00 00 10 00  IFCM..... ......
FF FF FF FF FF FF FF FF 09 00 00 00 00 00 00 00  ................
MZ...PE... | Inno Setup

Inno Setup installer.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8F 81 0B 01 02 19 00 90 00 00  ................
[Appended data]
49 6E 6E 6F 20 53 65 74 75 70 20 53 65 74 75 70  Inno Setup Setup
20 44 61 74 61 20 28 35 2E 31 2E 31 33 29 00 00   Data (5.1.13)..
MZ...PE... | MZ

An executable with the appended data that probably contains another executable. It may be either a custom installer or a wrapper.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 0E 04 00  ................
[Appended data]
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
MZ...PE... | Rar!

A self-extracting WinRAR executable. Contains a stub (the archive extractor) and a typical RAR file.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 E6 68 F2 46 00 00 00 00  PE..L....h.F....
00 00 00 00 E0 00 0F 01 0B 01 05 00 00 40 01 00  .............@..
[Appended data]
52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00  Rar!.....s......
00 00 00 00 83 59 7A 00 80 23 00 6E 00 00 00 6E  .....Yz..#.n...n
MZ...PE... | SQ5SFX

Squeez self-extracting executable.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 BA 1F 9F 48 00 00 00 00  PE..L......H....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00  ................
[Appended data]
53 51 35 53 46 58 CE B0 01 00 05 00 00 00 C7 0C  SQ5SFX..........
00 00 5B 64 65 73 63 72 69 70 74 69 6F 6E 5D 0D  ..[description].
MZ...PE... | sRBV... ResJ

AWinstall Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 94 AD EF 47 00 00 00 00  PE..L......G....
00 00 00 00 E0 00 03 01 0B 01 09 00 00 C6 01 00  ................
[Appended data]
73 52 42 56 06 68 1F 00 16 68 1F 00 06 03 00 00  sRBV.h...h......
52 65 73 4A 7F FF FB 81 C1 79 91 46 DE D1 BB 72  ResJ.....y.F...r
MZ...PE... | Smart Install Maker

Installer created with Smart Install Maker.

4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00  PE..L....^B*....
00 00 00 00 E0 00 8E 81 0B 01 02 19 00 62 01 00  .............b..
[Appended data]
53 6D 61 72 74 20 49 6E 73 74 61 6C 6C 20 4D 61  Smart Install Ma
6B 65 72 20 76 2E 20 35 2E 30 30 00 30 00 30 00  ker v. 5.00.0.0.
MZ...PE... | SZDD

Executable with an appended SZDD-compressed file (the format produced by the old Microsoft COMPRESS.EXE and unpacked by EXPAND.EXE). The same signature appears in the sxe<digits>.tmp chain described in the temp file post above.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 05 00 CE F8 9B 3E 00 00 00 00  PE..L......>....
00 00 00 00 E0 00 0E 01 0B 01 04 14 00 0C 01 00  ................
...
[Appended data]
53 5A 44 44 88 F0 27 33 41 6D F0 A3 01 00 FF 49  SZDD..'3Am.....I
54 53 46 03 00 00 00 F5 60 F5 F0 01 F5 F0 33 15  TSF.....`.....3.
MZ...PE... | wwgT

Installer created with Install Creator.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 C0 9F C2 41 00 00 00 00  PE..L......A....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 30 01 00  .............0..
[Appended data]
77 77 67 54 29 48 35 14 01 00 6E 02 00 00 F2 06  wwgT)H5...n.....
00 00 01 78 DA AD 94 4F 68 13 41 14 C6 DF EE 6C  ...x...Oh.A....l
MZ...PE... | 0xA3 HK

AutoIt or AutoHotkey compiled script. Both use the same 16-byte marker at the start of the appended data; in this sample the marker is followed by the AU3!EA06 tag, which points to AutoIt v3.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 A2 3E 49 47 00 00 00 00  PE..L....>IG....
00 00 00 00 E0 00 23 01 0B 01 08 00 00 70 03 00  ......#......p..
[Appended data]
A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D  .HK..lJ..LS...H}
41 55 33 21 45 41 30 36 F0 6B 89 18 C1 BC 11 F7  AU3!EA06.k......
MZ...PE... | 0xEF 0xBE 0xAD 0xDE nsisinstall

Old version of Nullsoft Installer. Note the characteristic bytes EF BE AD DE (the little-endian DWORD 0xDEADBEEF) at the very beginning of the appended data, followed by the string "nsisinstall".

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 85 A8 25 3A 00 00 00 00  PE..L.....%:....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 60 00 00  .............`..
[Appended data]
EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00  ....nsisinstall.
0D F0 AD 0B 2C 13 00 00 D1 46 09 00 44 46 58 20  ....,....F..DFX
MZ...PE... | … 0xEF 0xBE 0xAD 0xDE NullsoftInst

Nullsoft Installer. Note the characteristic bytes EF BE AD DE (the little-endian DWORD 0xDEADBEEF), here preceded by a DWORD of zeros and followed by the string "NullsoftInst", so the marker sits four bytes into the appended data rather than at its start. In some cases the Nullsoft Installer version can also be found in the manifest (in the resources of the PE executable), whose description reads "Nullsoft Install System v<version>".

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 05 00 1A 5A A0 49 00 00 00 00  PE..L....Z.I....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 5C 00 00  .............\..
00 00 00 00 EF BE AD DE 4E 75 6C 6C 73 6F 66 74  ........Nullsoft
49 6E 73 74 1D 27 02 00 33 90 17 00 5D 00 00 80  Inst.'..3...]...
MZ...PE... | … PK

A self-extracting Zip executable. Contains a stub (the archive extractor) and a Zip file. The end-of-central-directory record (PK 05 06) sits at the end of the file, which is how the stub locates the archive.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 03 00 5A F5 36 48 00 00 00 00  PE..L...Z.6H....
00 00 00 00 E0 00 03 01 0B 01 08 00 00 00 01 00  ................
[End of file]
50 4B 05 06 00 00 00 00 04 00 04 00 EF 00 00 00  PK..............
FF 99 48 01 00 00 00 00 00 00 00 00 50 15 00 00  ..H.........P...
MZ...PE... | … Wise

WISE Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
50 45 00 00 4C 01 04 00 3F 6C D8 3B 00 00 00 00  PE..L...?l.;....
00 00 00 00 E0 00 0F 05 0B 01 06 00 00 22 00 00  ............."..
[Appended data]
57 69 73 65 20 49 6E 73 74 61 6C 6C 61 74 69 6F  Wise Installatio
6E 20 57 69 7A 61 72 64 2E 2E 2E 00 ED 5B CD 8F  n Wizard.....[..
MZ...PE... | … ESIV

VISE Installer.

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
...
50 45 00 00 4C 01 05 00 49 E3 5E 37 00 00 00 00  PE..L...I.^7....
00 00 00 00 E0 00 0F 01 0B 01 06 00 00 C0 00 00  ................
...
[End of file]
DA E1 E1 47 47 DA DA E1 E1 47 47 DA DA E1 E1 47  ...GG....GG....G
8F D9 A8 DE F4 9C 03 FF 45 53 49 56 00 10 01 00  ........ESIV....
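The catalogue above is a lookup table waiting to be automated. The script below is an added example (not code from the original post or from any of the installers named) that finds the appended data the same way the stubs do: it walks the PE section table, takes the highest PointerToRawData + SizeOfRawData as the end of the mapped image, and treats everything after it as the overlay. It then matches the overlay against the signatures collected above, handles the two NSIS layouts (marker at offset 0 with "nsisinstall", marker at offset 4 with "NullsoftInst"), checks the section names for the WinZip _winzip_ case, and scans the tail of the file for the Zip end-of-central-directory record and the VISE "ESIV" marker. The magic bytes are copied from the dumps on this page; the tail window size and the small PE builder used to produce test input are assumptions made for this example, and the builder's output is not a runnable executable.

```python
import struct


def section_table(pe):
    """Walk the PE headers; return ([(name, raw_offset, raw_size), ...], end), where end
    is the file offset just past the last section's raw data. Anything stored beyond
    it is appended data (the overlay) that the loader never maps."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size      # 4-byte signature + 20-byte COFF header
    sections, end = [], table + 40 * nsec
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), raw_ptr, raw_size))
        end = max(end, raw_ptr + raw_size)
    return sections, end


# Magic bytes at the start of the appended data, taken from the dumps above.
OVERLAY_SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "7z self-extracting archive"),
    (b"BZh", "bzip2 self-extracting archive"),
    (b"CWS", "Flash player with compressed SWF"),
    (b"FWS", "Flash player with SWF"),
    (b"IFCM", "Microsoft Help 2.x"),
    (b"Inno Setup Setup Data", "Inno Setup"),
    (b"Rar!\x1a\x07\x00", "WinRAR self-extracting archive"),
    (b"SQ5SFX", "Squeez self-extracting archive"),
    (b"sRBV", "AWinstall"),
    (b"Smart Install Maker", "Smart Install Maker"),
    (b"SZDD", "SZDD-compressed payload"),
    (b"wwgT", "Install Creator"),
    (b"\xa3\x48\x4b\xbe\x98\x6c\x4a\xa9\x99\x4c\x53\x0a\x86\xd6\x48\x7d",
     "AutoIt/AutoHotkey compiled script"),
    (b"Wise Installation Wizard", "Wise Installer"),
    (b"dbload 1.0 signature", "perl2exe"),
    (b"!sfx!", "WinAce self-extracting archive"),
    (b"PK\x03\x04", "Zip archive (local file header)"),
    (b"MZ", "embedded executable (custom installer or wrapper)"),   # keep last
]
NSIS_MARK = b"\xef\xbe\xad\xde"          # DWORD 0xDEADBEEF, little-endian
# Markers found near the end of the file rather than at the start of the overlay.
TAIL_SIGNATURES = [
    (b"PK\x05\x06", "Zip self-extracting archive (end-of-central-directory record near end of file)"),
    (b"ESIV", "VISE Installer (ESIV marker near end of file)"),
]
TAIL_WINDOW = 22 + 65535   # Zip EOCD record plus the longest possible archive comment (assumed for ESIV too)


def identify_nsis(overlay):
    """Old NSIS: DEADBEEF at offset 0 followed by 'nsisinstall'; newer NSIS: a DWORD of
    zeros, then DEADBEEF at offset 4 followed by 'NullsoftInst' (both dumps above)."""
    for off in (0, 4):
        if overlay[off:off + 4] == NSIS_MARK:
            tag = overlay[off + 4:off + 16].split(b"\0")[0].decode("latin-1")
            return f"Nullsoft Installer ({tag})"
    return None


def identify(pe):
    """Return overlay offset/size and a list of what the appended data looks like."""
    sections, end = section_table(pe)
    overlay = pe[end:]
    findings = []
    if any(name == b"_winzip_" for name, _, _ in sections):
        findings.append("WinZip self-extracting archive (_winzip_ section, no appended data)")
    if overlay:
        nsis = identify_nsis(overlay)
        if nsis:
            findings.append(nsis)
        else:
            findings.append(next((label for magic, label in OVERLAY_SIGNATURES
                                  if overlay.startswith(magic)), "unknown appended data"))
    for magic, label in TAIL_SIGNATURES:
        if magic in pe[-TAIL_WINDOW:]:
            findings.append(label)
    return {"overlay_offset": end if overlay else None,
            "overlay_size": len(overlay), "findings": findings}


def build_test_pe(sections, overlay=b""):
    """Constructed test input: a minimal, non-executable PE image (DOS header, PE
    signature, COFF header with an empty optional header, one header per (name, data)
    section, data at 512-byte file alignment) with the given overlay appended."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw = (e_lfanew + 24 + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1),
                             len(data), raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return (dos + b"PE\0\0" + coff + table).ljust(raw, b"\0") + body + overlay


if __name__ == "__main__":
    sample = build_test_pe([(b".text", b"\x90" * 16)], b"7z\xbc\xaf\x27\x1c" + b"\0" * 10)
    print(identify(sample))
```

Two caveats when running this over real files. A signed binary always has a non-empty overlay, because the Authenticode signature blob lives after the last section, so "unknown appended data" on a signed file is expected rather than suspicious; parsing the security data directory is left out here. And a match only says what the appended data looks like: an "embedded executable" overlay or a SZDD payload is a reason to extract and look, not a verdict.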